The Collision Industry Conference (CIC)’s Data, Access, Privacy & Security Committee on Jan. 19 discussed with two attorneys the importance of establishing end-user license agreements with vendors and customer disclosures as best practices for shops when it comes to protecting customer personally identifiable information (PII).

Lawrence H. Pockers, a Philadelphia-based attorney with Duane Morris, said PII disclosure opens shops up to privacy liability.

“The unauthorized disclosure of a customer’s PII, whether intentional or not intentional, doesn’t factor into the analysis here, at least with respect to the comprehensive data privacy statutes that have been passed to date,” he said. “And most of the bills that are pending in legislatures today create a significant liability risk for repair shops.”

A couple of class action lawsuits he gave as examples were Greenley v. Avis Budget Group and Mollaei v. Otonomo. Plaintiffs in the first case contend that the rental car company didn’t adequately protect drivers’ PII that was collected when they paired their devices with the rentals. The second case, which was dismissed Jan. 18, alleged the data broker collected and sold PII without consent from the owners.

In the Otonomo case, “the judge’s rationale was even though there wasn’t really much to decide the case on was that the case was [about] a built-in component and so technically it was not attached to the vehicle and that was the reasoning for the decision,” Pockers said.

Customer PII can also be sold unbeknownst to shop owners and employees. For example, at the July 2022 CIC meeting, Society of Collision Repair Specialists Executive Director Aaron Schulenburg said that 86% of all quoted collision repair data could be available for sale, including everything from full name, home address, email, cell number, VIN, and insurance carrier by a collision industry data aggregation company that’s providing or selling the data to at least one third-party company to sell the information back to the industry.

Stamford-based attorney and Silver Golub & Teitell partner Steven Bloch, said the chain of custody of PII should be of the utmost importance to shops.

“Understanding the information that you’re sharing with your industry partners and your vendors through your various license agreements and the other transactions that you’re conducting with them first and foremost, of course, is the protection of the customer’s PII and that’s effectively the concern of the shops.

“What are their responsibilities there? What are the rules of the road and how are they conducting their operations with respect to protecting that customer PII? Shops are the entry point for this data and they hold responsibility under the various developing laws and regulations. …Many of the statutes have intentional provisions. Lots of the statutes don’t hold the shops to that standard. There are standards of negligence or simply strict liability. Once that information has been breached or disclosed improperly without customer disclosure and authorization and consent there is liability and exposure for the shops.”

Customer disclosures should state how PII will be used and must be tied to a specific purpose, he added. Examples of license agreement language include:

“We certainly recommend all shops to concert with their legal professionals and other consulting analysts to review your current contracts and your license agreements to determine what it is that you’ve provided as far as permission to your industry partners and your vendors,” Bloch said.

Bloch and Pockers said shops should put together a list of standard operating procedures and best practices that meet state laws and potential federal legislation for what has to be included in customer disclosures and notifications, guidelines for protecting PII, and getting customer consent.

“There’s no perfect solution and no way to prevent the use of the transaction of data down the supply chain when it winds up in the hands of data brokers improperly but you’ve got to take every protective or preventive measure you can,” Bloch said.

Committee Co-Chair Trent Tinsley added that shops can also follow the collision industry’s “Golden Rules” for data protection and sharing which were written by the committee in 2020 and adopted by CIC in 2021.

Bloch said both law firms can work with shops on writing customer data use documentation and make sure that the shop owners understand the agreements they have with their business partners.

“We can arm you with the ability, and potentially negotiate on your behalf, new license agreements or at least addenda or side agreements so that you’re better protected with your business partners,” Bloch said.

Proposed data protection laws

The Washington Post reports that at least 15 states have filed bills to protect consumer data.